
<!doctype html>
<html lang="en-US">
  <head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="apple-touch-icon" sizes="180x180" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-180x180.png">
	<link rel="icon" type="image/png" sizes="32x32" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-32x32.png">
	<link rel="icon" type="image/png" sizes="16x16" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-16x16.png">
	<link rel="manifest" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/site.webmanifest">
	<link rel="mask-icon" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/safari-pinned-tab.svg" color="#000000">
	<meta name="msapplication-TileColor" content="#000000">
	<meta name="theme-color" content="#000">
        <script type="text/javascript">
// Base origin of the main corporate site. Both globals hold the same value on
// this page; neither is read by the inline script that follows them.
// NOTE(review): presumably consumed by scripts loaded later — confirm.
var main_site_url = 'https://www.paloaltonetworks.com',
    maindomain_lang = 'https://www.paloaltonetworks.com';
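/**
 * Look up a single query-string parameter in a URL.
 *
 * @param {string} name  Parameter name. It is matched literally: every regex
 *                       metacharacter in it is escaped before the pattern is built.
 * @param {string} [url] URL to search; window.location.href is used when this
 *                       is null or undefined.
 * @returns {?string} null when the parameter is absent or its value is not valid
 *                    percent-encoding; '' when it is present without a value;
 *                    otherwise the decoded value, with '+' read as a space.
 *
 * The value comes from the URL, so callers must treat it as untrusted input and
 * validate or encode it before using it in markup, storage keys or navigation.
 */
function getParameterByName(name, url) {
	if (url == null) {
		url = window.location.href;
	}
	// Escape all regex metacharacters (not only the brackets) so a name such as
	// "a.b" cannot match a different parameter like "axb".
	name = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
	var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'),
		results = regex.exec(url);
	if (!results) return null;
	if (!results[2]) return '';
	try {
		return decodeURIComponent(results[2].replace(/\+/g, ' '));
	} catch (e) {
		// decodeURIComponent throws URIError on malformed escapes (for example a
		// lone '%'). Report the parameter as unusable instead of aborting the
		// inline script on a crafted or truncated link.
		return null;
	}
}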
	// Optional ?container=... value taken from the current page URL
	// (null when absent, '' when present without a value).
	var container_q = getParameterByName('container');
	var d_lang = 'en';
	// When a non-empty value was supplied, remember it for this tab's session and
	// reload the article at a fixed URL without the query string. The redirect
	// target is a constant, so the parameter cannot steer the navigation.
	// NOTE(review): the stored value is whatever the link carried, unvalidated.
	// Code that later reads sessionStorage 'container' should check it against
	// the set of expected values before acting on it.
	if (container_q != null && container_q != '') {
		window.sessionStorage.setItem('container', container_q);
		window.location.href = 'https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits';
	}
</script>
<link rel='stylesheet'  href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css' type='text/css' media='all' />
<!--<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc/clientlibs/clean/panClean/prisma/defered.min.css' media='all' />-->
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css' media='all' />
    <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />
<link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/" />
<link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/mirai-variant-targets-iot-exploits/" />
<link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/" />

	<!-- This site is optimized with the Yoast SEO Premium plugin v19.6 (Yoast SEO v19.13) - https://yoast.com/wordpress/plugins/seo/ -->
	<title>IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits</title>
	<meta name="description" content="Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities — due to low complexity and high impact." />
	<link rel="canonical" href="https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits" />
	<meta property="og:description" content="Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities — due to low complexity and high impact." />
	<meta property="og:url" content="https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/" />
	<meta property="og:site_name" content="Unit 42" />
	<meta property="article:published_time" content="2023-06-22T13:00:03+00:00" />
	<meta property="article:modified_time" content="2023-06-21T19:49:47+00:00" />
	<meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/Unit42-blog-2by1-characters-r4d1-2020_IoT-green.png" />
	<meta property="og:image:width" content="600" />
	<meta property="og:image:height" content="300" />
	<meta property="og:image:type" content="image/png" />
	<meta name="author" content="Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu" />
	<meta name="twitter:card" content="summary_large_image" />
	<!-- / Yoast SEO Premium plugin. -->


<meta property="og:likes" content="9"/>
<meta property="og:readtime" content="11"/>
<meta property="og:views" content="26,750"/>
<meta property="og:date_created" content="June 22, 2023 at 6:00 AM"/>
<meta property="og:post_length" content="2730"/>
<meta property="og:category" content="Malware"/>
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware-2/"/>
<meta property="og:author" content="Chao Lei"/>
<meta property="og:author" content="Zhibin Zhang"/>
<meta property="og:author" content="Yiheng An"/>
<meta property="og:author" content="Cecilia Hu"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/zhibin-zhang/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/mengying-hu/"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta name="post_tags" content="Advanced Threat Prevention,Advanced URL Filtering,botnet,Cloud-Delivered Security Services,CVE-2019-12725,CVE-2019-17621,CVE-2019-20500,CVE-2021-25296,CVE-2021-46422,CVE-2022-27002,CVE-2022-29303,CVE-2022-30023,CVE-2022-30525,CVE-2022-31499,CVE-2022-36266,CVE-2022-40005,CVE-2022-45699,CVE-2023-1389,CVE-2023-25280,CVE-2023-27240,IoT,IoT Security,Mirai,next-generation firewall,WildFire"/>
<meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/Unit42-blog-2by1-characters-r4d1-2020_IoT-green.png"/>
<script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits","name":"IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits","description":"Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities \u2014 due to low complexity and high impact.","url":"https:\/\/unit42.paloaltonetworks.com\/mirai-variant-targets-iot-exploits\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/mirai-variant-targets-iot-exploits\/","datePublished":"June 22, 2023","articleBody":"Executive Summary\r\nSince March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:\r\n\r\n\r\n\r\nCVE\/Product\r\nDescription\r\n\r\n\r\nCVE-2019-12725\r\nZeroshell Remote Command Execution Vulnerability\r\n\r\n\r\nCVE-2019-17621\r\nD-Link DIR-859 Remote Command Injection Vulnerability\r\n\r\n\r\nCVE-2019-20500\r\nD-Link DWL-2600AP Remote Command Execution Vulnerability\r\n\r\n\r\nCVE-2021-25296\r\nNagios XI Remote Command Injection Vulnerability\r\n\r\n\r\nCVE-2021-46422\r\nTelesquare SDT-CW3B1 Router Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-27002\r\nArris TR3300 Remote Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-29303\r\nSolarView Compact Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-30023\r\nTenda HG9 Router Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-30525\r\nZyxel Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-31499\r\nNortek Linear eMerge Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-37061\r\nFLIR AX8 Unauthenticated OS Command Injection Vulnerability\r\n\r\n\r\nCVE-2022-40005\r\nIntelbras WiFiber 120 AC inMesh Command Injection 
Vulnerability\r\n\r\n\r\nCVE-2022-45699\r\nAPsystems ECU-R Remote Command Execution Vulnerability\r\n\r\n\r\nCVE-2023-1389\r\nTP-Link Archer Router Command Injection Vulnerability\r\n\r\n\r\nCVE-2023-25280\r\nD-link DIR820LA1_FW105B03 Command injection vulnerability\r\n\r\n\r\nCVE-2023-27240\r\nTenda AX3 Command Injection Vulnerability\r\n\r\n\r\nCCTV\/DVR\r\nCCTV\/DVR Remote Code Execution\r\n\r\n\r\nEnGenius EnShare\r\nEnGenius EnShare Remote Code Execution Vulnerability\r\n\r\n\r\nMVPower DVR\r\nMVPower DVR Shell Unauthenticated Command Execution Vulnerability\r\n\r\n\r\nNetgear DGN1000\r\nNetgear DGN1000 Remote Code Execution Vulnerability\r\n\r\n\r\nVacron NVR\r\nVacron NVR Remote Code Execution Vulnerability\r\n\r\n\r\nMediaTek WiMAX\r\nMediaTek WiMAX Remote Code Execution\r\n\r\n\r\n\r\nThe threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.\r\n\r\nPalo Alto Networks Next-Generation Firewall customers receive protection through Cloud-Delivered Security Services such as Internet of Things (IoT) Security, Advanced Threat Prevention, WildFire and Advanced URL Filtering, which can help detect and block the exploit traffic and malware.\r\n\r\n\r\n\r\nRelated Unit 42 Topics\r\nIoT, Mirai, botnet\r\n\r\n\r\n\r\nTable of Contents\r\nCampaign Analysis\r\nMalware Analysis\r\nConclusion\r\nIndicators of Compromise\r\nShell Script Downloader Samples\r\nMirai Samples\r\nInfrastructure\r\nAdditional Resources\r\nAppendix\r\nCampaign Analysis\r\nOn March 14, 2023, Unit 42 researchers observed some remote command execution exploit traffic from our internal threat-hunting system, originating from 185.44.81[.]114. 
The threat actor tried to download a shell script downloader as a file named y from hxxp:\/\/zvub[.]us\/.\r\n\r\nIf executed, the shell script downloader would download and execute the following bot clients to accommodate different Linux architectures:\r\n\r\n \thxxp:\/\/185.225.74[.]251\/armv4l\r\n \thxxp:\/\/185.225.74[.]251\/armv5l\r\n \thxxp:\/\/185.225.74[.]251\/armv6l\r\n \thxxp:\/\/185.225.74[.]251\/armv7l\r\n \thxxp:\/\/185.225.74[.]251\/mips\r\n \thxxp:\/\/185.225.74[.]251\/mipsel\r\n \thxxp:\/\/185.225.74[.]251\/sh4\r\n \thxxp:\/\/185.225.74[.]251\/x86_64\r\n \thxxp:\/\/185.225.74[.]251\/i686\r\n \thxxp:\/\/185.225.74[.]251\/i586\r\n \thxxp:\/\/185.225.74[.]251\/arc\r\n \thxxp:\/\/185.225.74[.]251\/m68k\r\n \thxxp:\/\/185.225.74[.]251\/sparc\r\n\r\nAfter executing the bot client, the shell script downloader will delete the client executable file to cover its tracks.\r\n\r\nUnit 42 researchers conducted an analysis of the malware host domain and found out there are two IP addresses corresponding to the domain zvub[.]us:\r\n\r\n \t185.44.81[.]114 (From Aug. 15, 2022, to March 24, 2023)\r\n \t185.225.74[.]251 (After March 25, 2023)\r\n\r\nUpon conducting a thorough retrospective analysis, we noticed telnet brute force attempts from 185.44.81[.]114 since Oct. 6, 2022, and attempts to exploit multiple vulnerabilities since March 14, 2023.\r\n\r\nUnit 42 researchers also noticed another campaign from source IP 193.32.162[.]189 since April 11, 2023, that delivers the same shell downloader from zvub[.]us, as shown in Figure 1. Based on our analysis, we believe that the same threat actor operated these two campaigns for the following reasons:\r\n\r\n \tThe two campaigns share the same infrastructure.\r\n \tThe botnet samples are almost identical.\r\n\r\n[caption id=\"attachment_128827\" align=\"aligncenter\" width=\"900\"] Figure 1. 
Vulnerability exploit attempts.[\/caption]\r\n\r\nFigure 2 is a diagram illustrating the campaign overview.\r\n\r\n[caption id=\"attachment_128829\" align=\"aligncenter\" width=\"900\"] Figure 2. Campaign overview diagram.[\/caption]\r\nMalware Analysis\r\nBased on behavior and patterns Unit 42 researchers observed while analyzing the downloaded botnet client samples, we believe the sample is a variant of the Mirai botnet.\r\n\r\nUpon execution, the botnet client prints listening tun0 to the console. The malware also contains a function that ensures only one instance of this malware runs on the same device. If a botnet process already exists, the botnet client will terminate the current running process and start a new one.\r\n\r\nFor the botnet client configuration strings, other Mirai variants (like IZ1H9 and V3G4) first initialize an encrypted string table and then retrieve the strings through an index. This Mirai variant, however, directly accesses the encrypted strings in the .rodata section via an index (as shown in Figure 3).\r\n\r\n[caption id=\"attachment_128831\" align=\"aligncenter\" width=\"541\"] Figure 3. 
Mirai variant retrieving configuration strings.[\/caption]\r\n\r\nAlso, notice that for Mirai variants like IZ1H9 and V3G4, the configuration contains a string that indicates the branch name of the variant (for example, \/bin\/busybox IZ1H9), whereas the variant analyzed here does not have a branch name.\r\n\r\nFor the configuration decryption, this Mirai variant first uses the table key 0xDEADBEEF to generate a single-byte config decryption key 0x22 (consistent with XORing the four bytes of the table key together: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22). The malware then decrypts the encrypted configuration with the following bytewise XOR operation:\r\nencrypted_char ^ 0x22 = decrypted_char\r\nDuring the analysis, Unit 42 researchers noticed that this Mirai sample doesn\u2019t contain the functionality to brute force telnet\/SSH login credentials or to exploit vulnerabilities, which means the only channels for spreading this variant are the botnet operator\u2019s manual vulnerability exploitation attempts.\r\nConclusion\r\nThe widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored. The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.\r\n\r\nThese remote code execution vulnerabilities in IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. 
As a result, protecting IoT devices against such threats becomes an urgent task.\r\n\r\nTo combat this threat, it is highly recommended that patches and updates are applied when possible.\r\n\r\nPalo Alto Networks customers receive protection against vulnerabilities and malware through the following products and services:\r\n\r\n \tNext-Generation Firewall with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signatures 30760, 37073, 37752, 54659, 54553, 54537, 54619, 58706, 57437, 55795, 57191, 90873, 92611, 93863, 92626, 92714, 93859, 92579, 93044, 93283, 93587, 93872, 93749, 93874, 93973.\r\n \tAdvanced Threat Prevention has an inbuilt machine learning-based security detection that can detect exploit traffic in real time.\r\n \tWildFire can stop the malware with static signature detections.\r\n \tAdvanced URL Filtering and DNS Security are able to block the C2 domain and malware-hosting URLs.\r\n \tThe Palo Alto Networks IoT security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are vulnerable to the aforementioned CVEs.\r\n \tIn addition, IoT Security has an inbuilt machine learning-based anomaly detection that can alert the customer if a device exhibits nontypical behavior, such as the following:\r\n\r\n \tThe sudden appearance of traffic from a new source\r\n \tAn unusually high number of connections\r\n \tAn inexplicable surge of certain attributes typically appearing in IoT application payloads\r\n\r\n\r\n\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the\u00a0Cyber Threat Alliance.\r\nIndicators of Compromise\r\nShell Script Downloader Samples\r\n\r\n \t888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8\r\n\r\nMirai Samples\r\n\r\n \tb43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c\r\n \tb45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3\r\n \t366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6\r\n \t413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2\r\n \t2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599\r\n \t4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0\r\n \t461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d\r\n \taed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777\r\n \t0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915\r\n \teca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19\r\n \t3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d\r\n \taaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089\r\n \t4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b\r\n\r\nInfrastructure\r\n\r\n \tzvub[.]us\r\n \t185.225.74[.]251\r\n \t185.44.81[.]114\r\n \t193.32.162[.]189\r\n\r\nAdditional Resources\r\n\r\n \tTP-Link WAN-SIDE Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal - Zero Day Initiative\r\n \tUnit 42 Finds New Mirai and Gafgyt IoT\/Linux Botnet Campaigns - Unit 42, Palo Alto Networks\r\n \tMulti-exploit IoT\/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall - Unit 42, Palo Alto Networks\r\n \tOld Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices - Unit 42, Palo Alto Networks\r\n \tMirai Variant V3G4 Targets IoT Devices - Unit 42, Palo Alto Networks\r\n\r\nAppendix\r\nCampaign-related vulnerability information is listed below:\r\n\r\nCVE-2019-12725: Zeroshell Remote Command Execution Vulnerability\r\n\r\nThis malicious traffic was first detected as a part of the 
campaign on March 14, 2023. The command execution vulnerability is due to the failure to sanitize the value of x509type in the kerbynet component of Zeroshell\r\n\r\n[caption id=\"attachment_128833\" align=\"aligncenter\" width=\"678\"] Figure 4. CVE-2019-12725 exploit in the wild.[\/caption]\r\n\r\nCVE-2019-17621: D-Link DIR-859 Remote Command Injection Vulnerability\r\n\r\nWe captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the D-Link wireless router\u2019s \/gena.cgi component, which does not successfully sanitize the user input in the service parameter. This leads to arbitrary command execution.\r\n\r\n[caption id=\"attachment_128835\" align=\"aligncenter\" width=\"678\"] Figure 5. CVE-2019-17621 exploit in the wild.[\/caption]\r\n\r\nCVE-2019-20500: D-Link DWL-2600AP Remote Command Execution Vulnerability\r\n\r\nThe exploit was detected on April 11, 2023. The exploit works due to the D-Link wireless router admin.cgi component failing to adequately sanitize the user-supplied input data, which leads to remote command execution.\r\n\r\n[caption id=\"attachment_128837\" align=\"aligncenter\" width=\"591\"] Figure 6. CVE-2019-20500 exploit in the wild.[\/caption]\r\n\r\nCVE-2021-25296: Nagios XI Remote Command Injection Vulnerability\r\n\r\nWe observed this exploit traffic on April 11, 2023. The exploit targets the Nagios XI device\u2019s \/nagiosxi\/config\/monitoringwizard.php component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote command injection attack.\r\n\r\n[caption id=\"attachment_128839\" align=\"aligncenter\" width=\"678\"] Figure 7. CVE-2021-25296 exploit in the wild.[\/caption]\r\n\r\nCVE-2021-46422: Telesquare SDT-CW3B1 Router Command Injection Vulnerability\r\n\r\nThe malicious traffic was first detected on March 14, 2023. 
The command injection vulnerability is due to the failure to sanitize the value of the cmd parameter in the cgi-bin\/admin.cgi interface of the Telesquare router.\r\n\r\n[caption id=\"attachment_128841\" align=\"aligncenter\" width=\"678\"] Figure 8. CVE-2021-46422 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-27002: Arris TR3300 Remote Command Injection Vulnerability\r\n\r\nWe captured this exploit traffic on April 14, 2023. The exploit targets a command injection vulnerability in the Arris TR3300\u2019s user.cgi component, which does not successfully sanitize the user input in the DDNS_HOST parameter. This leads to a command injection.\r\n\r\n[caption id=\"attachment_128843\" align=\"aligncenter\" width=\"678\"] Figure 9. CVE-2022-27002 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-29303: SolarView Compact Command Injection Vulnerability\r\n\r\nThis exploit was detected on March 15, 2023. The exploit works due to the SolarView Compact confi_mail.php component failing to adequately sanitize the user-supplied input data, which leads to command injection.\r\n\r\n[caption id=\"attachment_128845\" align=\"aligncenter\" width=\"678\"] Figure 10. CVE-2022-29303 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-30023: Tenda HG9 Router Command Injection Vulnerability\r\n\r\nWe observed this exploit traffic on March 14, 2023. The exploit targets the Tenda HG9 router\u2019s \/boaform\/formPing component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote code execution attack\r\n\r\n[caption id=\"attachment_128847\" align=\"aligncenter\" width=\"678\"] Figure 11. CVE-2022-30023 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-30525: Zyxel Command Injection Vulnerability\r\n\r\nThis malicious traffic was first detected on March 14, 2023. 
The command injection vulnerability is due to the failure to sanitize the value of the mtu parameter in the \/cgi-bin\/handler interface of Zyxel.\r\n\r\n[caption id=\"attachment_128849\" align=\"aligncenter\" width=\"678\"] Figure 12. CVE-2022-30525 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-31499: Nortek Linear eMerge Command Injection Vulnerability\r\n\r\nWe captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the Nortek Linear eMerge device\u2019s card_scan.php component, which does not successfully sanitize the user input in the ReaderNo parameter. This leads to remote command injection.\r\n\r\n[caption id=\"attachment_128851\" align=\"aligncenter\" width=\"678\"] Figure 13. CVE-2022-31499 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-37061: FLIR AX8 Unauthenticated OS Command Injection Vulnerability\r\n\r\nThis exploit was detected on May 1, 2023. The exploit works due to the FLIR AX8 device\u2019s res.php component failing to adequately sanitize the user-supplied input data, which leads to OS command injection.\r\n\r\n[caption id=\"attachment_128853\" align=\"aligncenter\" width=\"678\"] Figure 14. CVE-2022-37061 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-40005: Intelbras WiFiber 120AC inMesh Command Injection Vulnerability\r\n\r\nWe observed this exploit traffic on March 15, 2023. The exploit targets the Intelbras WiFiber device\u2019s \/boaform\/formPing6 component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a command injection attack.\r\n\r\n[caption id=\"attachment_128855\" align=\"aligncenter\" width=\"678\"] Figure 15. CVE-2022-40005 exploit in the wild.[\/caption]\r\n\r\nCVE-2022-45699: APsystems ECU-R Remote Command Execution Vulnerability\r\n\r\nThis malicious traffic was first detected on April 12, 2023. 
The remote command execution vulnerability is due to a failure to sanitize the value of the timezone parameter in the \/management\/set_timezone.\r\n\r\n[caption id=\"attachment_128857\" align=\"aligncenter\" width=\"678\"] Figure 16. CVE-2022-45699 exploit in the wild.[\/caption]\r\n\r\nCVE-2023-1389: TP-Link Archer Router Command Injection Vulnerability\r\n\r\nWe captured this exploit traffic on April 12, 2023. The exploit targets a command injection vulnerability in the TP-Link Archer router\u2019s cgi-bin\/luci component, which does not successfully sanitize the user input in the country parameter. This leads to arbitrary command execution.\r\n\r\n[caption id=\"attachment_128859\" align=\"aligncenter\" width=\"678\"] Figure 17. CVE-2023-1389 exploit in the wild.[\/caption]\r\n\r\nCVE-2023-25280: D-Link DIR820LA1_FW105B03 Command injection vulnerability\r\n\r\nThe exploit was detected on April 11, 2023. The exploit works due to the D-Link device \/ping.ccp component failing to adequately sanitize the user-supplied input data, which leads to a command injection vulnerability.\r\n\r\n[caption id=\"attachment_128861\" align=\"aligncenter\" width=\"678\"] Figure 18. CVE-2023-25280 exploit in the wild.[\/caption]\r\n\r\nCVE-2023-27240: Tenda AX3 Command Injection Vulnerability\r\n\r\nWe observed this exploit traffic on April 12, 2023. The exploit targets the Tenda AX3 router\u2019s \/goform\/AdvSetLanip component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote command injection attack.\r\n\r\n[caption id=\"attachment_128863\" align=\"aligncenter\" width=\"678\"] Figure 19. CVE-2023-27240 exploit in the wild.[\/caption]\r\n\r\nCCTV\/DVR Remote Code Execution\r\n\r\nThis exploit traffic was detected on March 14, 2023. The exploit targets a remote code execution in multiple CCTV\/DVR devices\u2019 \/language components. 
The component does not successfully sanitize the value of the HTTP parameter.\r\n\r\n[caption id=\"attachment_128865\" align=\"aligncenter\" width=\"678\"] Figure 20. CCTV\/DVR exploit in the wild.[\/caption]\r\n\r\nEnGenius EnShare Remote Code Execution Vulnerability\r\n\r\nWe detected this exploit traffic on April 12, 2023. The exploit works due to the \/cgi-bin\/usbinteract.cgi component of the EnGenius EnShare device failing to sanitize the value of the HTTP parameter path.\r\n\r\n[caption id=\"attachment_128867\" align=\"aligncenter\" width=\"678\"] Figure 21. EnGenius Enshare exploit in the wild.[\/caption]\r\n\r\nMVPower DVR Shell Unauthenticated Command Execution Vulnerability\r\n\r\nThis malicious traffic was captured on April 11, 2023. The exploit works due to the MVPower DVR failing to sanitize user input, which in turn could lead to remote command execution.\r\n\r\n[caption id=\"attachment_128869\" align=\"aligncenter\" width=\"678\"] Figure 22. MVPower DVR exploit in the wild.[\/caption]\r\n\r\nNetgear DGN1000 Remote Code Execution Vulnerability\r\n\r\nWe captured this exploit traffic on March 14, 2023. The exploit targets the setup.cgi component of Netgear DGN1000. The component does not sanitize the value of the HTTP parameter cmd, which leads to remote code execution.\r\n\r\n[caption id=\"attachment_128871\" align=\"aligncenter\" width=\"678\"] Figure 23. Netgear exploit in the wild.[\/caption]\r\n\r\nVacron NVR Remote Code Execution Vulnerability\r\n\r\nWe observed this exploit traffic on March 14, 2023. The exploit targets the Vacron NVR device\u2019s board.cgi component. If insufficient input validation is found, the attacker can exploit the vulnerability to launch a remote code execution attack.\r\n\r\n[caption id=\"attachment_128873\" align=\"aligncenter\" width=\"678\"] Figure 24. 
Vacron NVR exploit in the wild.[\/caption]\r\n\r\nMediaTek WiMAX Remote Code Execution\r\n\r\nThe exploit traffic was first detected as a part of a campaign on April 12, 2023. The remote code execution vulnerability is due to the failure to sanitize the value of the SYSLOGD_REMOTE_HOST parameter in the user.cgi interface of a MediaTek WiMAX device.\r\n\r\n[caption id=\"attachment_128875\" align=\"aligncenter\" width=\"678\"] Figure 25. MediaTek WiMAX exploit in the wild.[\/caption]","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/06\/Unit42-blog-2by1-characters-r4d1-2020_IoT-green.png","width":150,"height":75},"author":[{"@type":"Person","name":"Chao Lei"},{"@type":"Person","name":"Zhibin Zhang"},{"@type":"Person","name":"Yiheng An"},{"@type":"Person","name":"Cecilia Hu"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/css/frontend.min.css?ver=4.4.1' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-flatpickr-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.css?ver=4.4.1' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-select2-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css' href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-post-translations-0-css' href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wordpress-popular-posts-css-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/css/wpp.css?ver=5.5.1' type='text/css' media='all' />
<link rel='stylesheet' id='unit42/css-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/styles/main.css?v2' type='text/css' media='all' />
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' id='crayon_js-js-extra'>
/* <![CDATA[ */
var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""};
var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta' id='crayon_js-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.js?ver=4.4.1' id='ppress-flatpickr-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.js?ver=4.4.1' id='ppress-select2-js'></script>
<script type='application/json' id='wpp-json'>
{"sampling_active":0,"sampling_rate":100,"ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts\/v1\/popular-posts","api_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts","ID":128774,"token":"6094d75eff","lang":0,"debug":0}
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/js/wpp.min.js?ver=5.5.1' id='wpp-js-js'></script>
<script type='text/javascript' id='wpml-xdomain-data-js-extra'>
/* <![CDATA[ */
var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.5.14' id='wpml-xdomain-data-js'></script>
<link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/128774" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://unit42.paloaltonetworks.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 6.1.1" />
<link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=128774' />
<link rel="alternate" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmirai-variant-targets-iot-exploits%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fmirai-variant-targets-iot-exploits%2F&#038;format=xml" />
<meta name="generator" content="WPML ver:4.5.14 stt:1,28;" />
<meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{
				 -webkit-transition: opacity 0.3s ease;
				 -moz-transition: opacity 0.3s ease;
				 -o-transition: opacity 0.3s ease;
				 transition: opacity 0.3s ease;} #wpdevart_lb_information_content{
				 -webkit-transition: opacity 0.3s ease;
				 -moz-transition: opacity 0.3s ease;
				 -o-transition: opacity 0.3s ease;
				 transition: opacity 0.3s ease;}
		#wpdevart_lb_information_content{
			width:100%;	
			padding-top:0px;
			padding-bottom:0px;
		}
		#wpdevart_info_counter_of_imgs{
			    display: inline-block;
				padding-left:15px;
				padding-right:4px;
				font-size:20px;
				color:#000000;
		}
		#wpdevart_info_caption{
			    display: inline-block;
				padding-left:15px;
				padding-right:4px;
				font-size:20px;
				color:#000000;
		}
		#wpdevart_info_title{
			    display: inline-block;
				padding-left:5px;
				padding-right:5px;
				font-size:15px;
				color:#000000;
		}
		@-webkit-keyframes rotate {
			to   {-webkit-transform: rotate(360deg);}
			from  {-webkit-transform: rotate(0deg);}
		}
		@keyframes rotate {
			to   {transform: rotate(360deg);}
			from  {transform: rotate(0deg);}
		}
		#wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{
			-webkit-animation: rotate 2s linear  infinite;
    		animation: rotate 2s linear infinite;
		}
	  </style>                  <style id="wpp-loading-animation-styles">@-webkit-keyframes bgslide{from{background-position-x:0}to{background-position-x:-200%}}@keyframes bgslide{from{background-position-x:0}to{background-position-x:-200%}}.wpp-widget-placeholder,.wpp-widget-block-placeholder{margin:0 auto;width:60px;height:3px;background:#dd3737;background:linear-gradient(90deg,#dd3737 0%,#571313 10%,#dd3737 100%);background-size:200% auto;border-radius:3px;-webkit-animation:bgslide 1s infinite linear;animation:bgslide 1s infinite linear}</style>
              <script>var $ = jQuery;</script>
  
  
<script type="text/javascript">
;(function(win, doc, hideRule, delayMs) {
  // Id of the temporary style element that keeps the body hidden.
  var PREHIDE_ID = 'at-body-style';

  // The head element is looked up on every call rather than cached.
  function headElement() {
    return doc.getElementsByTagName('head')[0];
  }

  // Append a style element with the given id and CSS text to `head`, if there is one.
  function injectRule(head, elementId, cssText) {
    if (head) {
      var node = doc.createElement('style');
      node.id = elementId;
      node.innerHTML = cssText;
      head.appendChild(node);
    }
  }

  // Remove the style element with the given id from `head`; a missing head or element is ignored.
  function dropRule(head, elementId) {
    var node = head ? doc.getElementById(elementId) : null;
    if (node) {
      head.removeChild(node);
    }
  }

  // Hide the body immediately, then lift the rule after `delayMs` milliseconds whatever else has
  // happened, so a script that fails to load cannot leave the page hidden.
  injectRule(headElement(), PREHIDE_ID, hideRule);
  setTimeout(function() {
    dropRule(headElement(), PREHIDE_ID);
  }, delayMs);
}(window, document, "body {visibility:hidden !important}", 3000));
</script>

<script src="//assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script>
<script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script>
  

<script type="text/javascript">
    // "Trident" followed by "rv:11." in the user-agent string is taken to mean Internet Explorer 11.
    var isIE11 = /Trident.*rv\:11\./.test(navigator.userAgent);
if (isIE11) {
    // Same-origin polyfill bundle, written into the document while it is still being parsed.
    // The \x3C escape keeps the literal closing tag out of this inline script's own source.
    var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/scripts/polyfill.min.js';
    document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>');
}
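    /**
 * String.prototype.replaceAll() polyfill
 * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/
 * @author Chris Ferdinandi
 * @license MIT
 *
 * Installed only when the browser has no native replaceAll.
 * A string pattern is matched literally, as the native method does: regular-expression
 * metacharacters in it are escaped before the pattern is compiled. Without the escaping a
 * pattern such as a URL would over-match, because every "." in it would match any character.
 *
 * @param {string|RegExp} str    Text or pattern to look for.
 * @param {string|Function} newStr Replacement, passed straight to String.prototype.replace.
 * @returns {string} A copy of the string with every match replaced.
 */
if (!String.prototype.replaceAll) {
	String.prototype.replaceAll = function(str, newStr){

		// A RegExp pattern is handed to replace() unchanged.
		if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') {
			return this.replace(str, newStr);
		}

		// A string pattern: escape . * + ? ^ $ { } ( ) | [ ] \ so it is matched character for character.
		var literal = String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
		return this.replace(new RegExp(literal, 'g'), newStr);

	};
}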


    /*! lozad.js - v1.16.0 - 2020-09-06 */
!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict";
/**
   * Detect IE browser
   * @const {boolean}
   * @private
   */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 1x
u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}});

</script>
<script type="text/javascript">
// Page descriptor held in a global; it is read by scripts that are not part of this block.
var webData = {
   channel : "unit42", // site section the user is in
   property : "unit42.paloaltonetworks.com", // domain or sub-domain
   pageType : "blogs",
   language : "en_us",
   pageName : "unit42:IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits", // every page needs a unique page name
   pageURL : "https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/", // the url being viewed, with no parameters
   resourceAssetID : "7a540c7c5137ca608d304362da70ddec"
};
// When this browser session already carries a container value, attach it to the descriptor.
if (webData && sessionStorage.getItem("container")) {
	webData.container = sessionStorage.getItem("container");
}

</script>
</head>
  <body class="post-template-default single single-post postid-128774 single-format-standard">
    <!--[if IE]>
      <div class="alert alert-warning">
        You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade your browser</a> to improve your experience.      </div>
    <![endif]-->
    <style type="text/css">
	.pan-page-alert {
		height: 60px;
	    width: 100%;
	    background-color: #f4f4f2;
	    text-align: center;
	    position: relative;
	    top: 0;
	    left: 0;
	    right: 0;
	    line-height: 20px;
	    display: flex;
	    align-items: center;
	    justify-content: space-between;
	    z-index: 999;
	    padding: 0;
	    display: none;
	}
	.pan-page-alert.open {
		display: flex;
		z-index: 1;
	}
	.pan-page-alert .pan-page-alert-text {
		flex-grow: 1;
	    color: #141414;
	    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
	    font-style: normal;
	    font-weight: 600;
	    line-height: 20px;
	}
	.pan-page-alert .pan-page-alert-text a {
		color: #bd4122;
		text-decoration: none;
		border-bottom: 2px solid #bd4122;
	}
	.pan-page-alert .pan-page-alert-close {
		margin: 0 15px;
		width: 24px;
		height: 24px;
		border-radius: 24px;
		background-size: contain;
		background-repeat: no-repeat;
		background-position: center;
		/**background-image: url(https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg);
		 * */
		border: 0;
		background-color: transparent;
	}
	
	@media(max-width: 1199.98px){
		.panClean .pan-page-alert .pan-page-alert-text {
			text-align: left;
			padding-left: calc(7.14285714vw + 15px);
		}
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 14px;
	    }
	}
	.productNav2021Component .btn-light i, .productNav2021Component .btn-outline-light i {
	    width: 20px;
	    height: 20px;
	    margin-left: 15px;
	    flex-grow: 0;
	    flex-shrink: 0;
	    display: inline-block;
	    background-size: contain;
	    background-position: center;
	    background-repeat: no-repeat;
	    background-image: url(https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg);
	}
	.productNav2021Component .btn-light, .productNav2021Component .btn-outline-light {
	    display: inline-flex;
	    align-items: center;
	    text-decoration: none;
	    max-width: 100%;
	    text-align: left;
	    background: 0;
	    color: #141414;
	    position: relative;
	}
	.productNav2021Component .btn-light:hover, .productNav2021Component .btn-outline-light:hover {
	    color: #7a7a7a;
	}
	.productNav2021Component .btn{
	   white-space: normal; 
	}
	.productNav2021Component .btn-light:hover i, .productNav2021Component .btn-outline-light:hover i{
	    opacity: .6;
	}
	@media(min-width: 1200px){
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 16px;
	    }
	}
</style>

<header class="haeder py-15 position-relative z-index-2" style="display: none;">
  <div class="container px-sm-30 px-35">
    <div class="row">
      <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1">
                  <a href="https://www.paloaltonetworks.com/">
<!--<img src="/wp-content/uploads/2019/07/paloaltonetwork.svg" class="attachment-full size-full" alt="" height="43" width="124" />-->
<img src="/wp-content/uploads/2021/07/PANW_Parent.png" width="140px" alt="Logo" />

</a>

      </div>

      <div class="col-sm-auto col-6 text-sm-center order-sm-2 order-4 second-logo-unit">
        <a href="https://unit42.paloaltonetworks.com/">
            <!--<img src="/wp-content/uploads/2019/07/unit42.svg" class="attachment-full size-full" alt="" height="35" width="105" />-->
            <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/images/svg/unit42-logo-white.svg" class="attachment-full size-full" alt="Unit42 Logo"  width="150" height="35"/>
        </a>
      </div>

      <div class="col-auto d-sm-none ml-auto mb-40 order-2">
        <button class="btn__search" data-toggle="collapse" data-target="#search" aria-label="search"><i class="ui ui-1"></i></button>
      </div>

      <div id="search" class="collapse d-sm-block col-sm-auto col-12 ml-auto order-3">
        <div class="pt-sm-0 pt-20 pb-sm-0 pb-40 mt-sm-0 mt-n30">
                      <input type="search" placeholder="Search Unit 42" id="innerSearch" class="header__search" value="" required aria-label="Inner Search">
                  </div>
      </div>

      <div class="col-auto d-sm-none d-flex ml-auto align-items-center order-5">
        <button class="btn__menu rounded" data-toggle="collapse" data-target="#navigation">Menu</button>
      </div>
    </div>
  </div>
</header>

<nav id="navigation" class="site-nav collapse d-sm-block pb-20 mt-sm-10"  style="display: none!important;">
  <div class="container px-sm-30">
    <ul id="menu-primary-navigation" class="main-menu d-sm-flex font-weight-medium"><li id="menu-item-97290" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-97290"><a href="https://unit42.paloaltonetworks.com/tools/">Tools</a></li>
<li id="menu-item-41" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-41"><a href="https://unit42.paloaltonetworks.com/atoms/">ATOMs</a></li>
<li id="menu-item-119884" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-119884"><a target="_blank" rel="noopener" href="https://www.paloaltonetworks.com/unit42">Security Consulting</a></li>
<li id="menu-item-81229" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li>
<li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li>
</ul>  </div>
</nav>
<div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;">
    <div class="cleanHeader mainNavigationComp baseComponent parbase">
        <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"></div>

  </div>
<div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none  "></div>
</div>


</div>
<script type="text/javascript">
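	/**
	 * Return the value of the cookie called `cname`, or "" when no such cookie is set.
	 *
	 * The cookie header is split into pairs first and only the matching value is decoded.
	 * Decoding the whole header in one go would throw a URIError as soon as any cookie on the
	 * page held a malformed percent sequence, and an encoded ";" inside a value would be
	 * mistaken for a pair separator.
	 *
	 * @param {string} cname Cookie name, compared as written (names are not decoded).
	 * @returns {string} The decoded value; the raw value when it cannot be decoded; "" when absent.
	 */
	function getCookie(cname) {
		var prefix = cname + "=";
		var pairs = document.cookie.split(';');
		for (var i = 0; i < pairs.length; i++) {
			// Pairs are separated by "; ", so drop the leading spaces.
			var pair = pairs[i].replace(/^ +/, '');
			if (pair.indexOf(prefix) === 0) {
				var raw = pair.substring(prefix.length);
				try {
					return decodeURIComponent(raw);
				} catch (e) {
					// Malformed percent-encoding: hand back the value as stored.
					return raw;
				}
			}
		}
		return "";
	}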

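	// Product "container" (Prisma, Cortex, Sase, Unit or Ngfw) that selects which navigation is
	// loaded further down. It is resolved from the session value first, then from the navContainer
	// cookie when the visitor arrived from a company site, and falls back to 'Unit'.
	var referer = "";
	var pcontainer = sessionStorage.getItem("container");
	var searchResultsPagePath = "";
	/**
	if(document.location.host==='unit42.paloaltonetworks.com'){
		window.initialContainer = "Unit";
		window.supportedContainer = ["Prisma","Sase","Cortex","Unit"];
	}
	**/

	/**
	 * Report whether the host of `refUrl` is `domain` itself or one of its subdomains.
	 * The host is compared rather than the whole URL, so a URL that merely mentions the
	 * domain in its path or query string, or whose host only starts with it, does not count.
	 * An anchor element does the parsing so the check also works without the URL constructor.
	 */
	function panRefHostIs(refUrl, domain) {
		if (!refUrl) {
			// An empty href would resolve to the current page, so treat "no referrer" as no match.
			return false;
		}
		var a = document.createElement('a');
		a.href = refUrl;
		var host = (a.hostname || '').toLowerCase();
		return host === domain || host.slice(-(domain.length + 1)) === '.' + domain;
	}

	// The session value can be written from the `container` query parameter, so it is never used
	// directly: it only selects one of the five fixed names, the first one it contains.
	if (pcontainer && pcontainer.indexOf('Prisma') != -1) {
		referer = 'Prisma';
	} else if (pcontainer && pcontainer.indexOf('Cortex') != -1) {
		referer = 'Cortex';
	} else if (pcontainer && pcontainer.indexOf('Sase') != -1) {
		referer = 'Sase';
	} else if (pcontainer && pcontainer.indexOf('Unit') != -1) {
		referer = 'Unit';
	} else if (pcontainer && pcontainer.indexOf('Ngfw') != -1) {
		referer = 'Ngfw';
	}

	var fromRef = document.referrer;
	var nContainer = getCookie("navContainer");
	if (nContainer) {
		// If the user is coming from the main site, the container is reset from the cookie.
		if (panRefHostIs(fromRef, "prismacloud.io")) {
			referer = 'Prisma';
			sessionStorage.setItem("container", "Prisma");
		} else if (panRefHostIs(fromRef, "paloaltonetworks.com") || panRefHostIs(fromRef, "paloaltonetworks.jp")) {
			// These checks are independent, so when the cookie names several containers the last match wins.
			if (nContainer.indexOf('Prisma') != -1) {
				referer = 'Prisma';
				sessionStorage.setItem("container", "Prisma");
			}
			if (nContainer.indexOf('Cortex') != -1) {
				referer = 'Cortex';
				sessionStorage.setItem("container", "Cortex");
			}
			if (nContainer.indexOf('Sase') != -1) {
				referer = 'Sase';
				sessionStorage.setItem("container", "Sase");
			}
			if (nContainer.indexOf('Unit') != -1) {
				referer = 'Unit';
				sessionStorage.setItem("container", "Unit");
			}
			if (nContainer.indexOf('Ngfw') != -1) {
				referer = 'Ngfw';
				sessionStorage.setItem("container", "Ngfw");
			}
			// The cookie is single-use: expire it once it has been applied.
			document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
		}
	}

	// Anything that did not resolve to a known container falls back to 'Unit'.
	if (referer != "Prisma" && referer != "Cortex" && referer != "Sase" && referer != "Unit" && referer != "Ngfw") {
		referer = 'Unit';
		sessionStorage.setItem("container", "Unit");
	}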
/**
 * Load the navigation markup for the current container and reveal its wrapper.
 *
 * Reads the global `referer`, records the main-site origin in sessionStorage under "domain",
 * sets the global `searchResultsPagePath`, and passes the chosen URL to httpGet() as 'menu_html'.
 * Every URL is built from constants in this function; nothing from the request is used.
 */
function callMainSitePrismaNavHTML(){
    var mainSite = 'https://www.paloaltonetworks.com';
    sessionStorage.setItem("domain", mainSite);

    // Container name -> navigation renderer and search results page.
    // Unit and Ngfw use renderers served from this site; the others come from the main site.
    var routes = {
        Prisma: {
            nav: mainSite + '/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html',
            search: mainSite + "/search/prismasearch"
        },
        Cortex: {
            nav: mainSite + '/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html',
            search: mainSite + "/search/cortexsearch"
        },
        Sase: {
            nav: mainSite + '/_jcr_content/globals/cleanHeaderSase.saseRenderer.html',
            search: mainSite + "/search/sasesearch"
        },
        Unit: {
            nav: 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/unit-nav-renderer.php',
            search: mainSite + "/content/pan/en_US/search/unit42search"
        },
        Ngfw: {
            nav: 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/ngfw-cdss-nav-renderer.php',
            search: mainSite + "/search/ngfwcdsssearch"
        }
    };

    // An unknown container leaves the URL undefined and the search path untouched.
    var navUrl;
    if (Object.prototype.hasOwnProperty.call(routes, referer)) {
        navUrl = routes[referer].nav;
        searchResultsPagePath = routes[referer].search;
    }

    httpGet(navUrl, 'menu_html');
    // The wrapper carries an inline display:none; dropping the attribute shows it.
    document.getElementById('main-nav-menu-cont').removeAttribute("style");
}
/**
 * Append a style element holding the CSS text `styles` to the document head.
 */
function addStyle(styles) {
    var sheetEl = document.createElement('style');
    sheetEl.type = 'text/css';

    // Where the element exposes a styleSheet object (presumably old Internet Explorer), the text
    // is set through cssText; everywhere else it goes in as a text node, so it is never parsed as markup.
    if (sheetEl.styleSheet) {
        sheetEl.styleSheet.cssText = styles;
    } else {
        sheetEl.appendChild(document.createTextNode(styles));
    }

    document.getElementsByTagName("head")[0].appendChild(sheetEl);
}
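    /**
     * Fetch `theUrl` with a blocking GET and apply a 200 response according to `req_type`.
     *
     *   'menu_html'       - rewrite root-relative src/href/'/content references to the main
     *                       site and insert the markup into #PAN_2021_NAV_ASYNC
     *   'head_inline_css' - append the response to the head as a style element
     *
     * The response is inserted with innerHTML, so it is parsed as markup with this page's
     * privileges. Only pass URLs of endpoints whose output is trusted, and never a URL derived
     * from the query string, the referrer or storage.
     * The request is synchronous: callers continue only after the response has been applied.
     *
     * @param {string} theUrl   URL to request.
     * @param {string} req_type 'menu_html' or 'head_inline_css'; other values do nothing.
     */
    function httpGet(theUrl,req_type)
    {
        // Kept local so the request object does not leak into the global scope.
        var xmlhttp;
        if (window.XMLHttpRequest)
        {// code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp=new XMLHttpRequest();
        }
        else
        {// code for IE6, IE5
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange=function()
        {
            if (xmlhttp.readyState!=4 || xmlhttp.status!=200)
            {
                return;
            }

            if(req_type == 'menu_html'){
                // Drop the reference to the Coveo search script from the fetched markup.
                var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');

                // Root-relative references would resolve against this site; point them at the main site.
                nav_text = nav_text.replaceAll('src="/', 'src="'+maindomain_lang+'/');
                nav_text = nav_text.replaceAll("'/content", "'"+maindomain_lang+"/content");

                document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="'+maindomain_lang+'/');

                // Prefix the quoted path in each lazy-loaded background with the main site URL.
                var lozad_back = document.getElementsByClassName('lozad-background');
                Array.prototype.forEach.call(lozad_back, function(el) {
                    var el_back_img_path = el.getAttribute('data-background-image');
                    if (!el_back_img_path) {
                        // No attribute on this element: nothing to rewrite.
                        return;
                    }
                    var first_pos = el_back_img_path.indexOf("'");
                    var last_pos = el_back_img_path.indexOf("'",first_pos+1);
                    el_back_img_path = el_back_img_path.substring(first_pos+1,last_pos);
                    el.setAttribute("data-background-image",main_site_url+el_back_img_path);
                });
            }
            if(req_type == 'head_inline_css'){
                addStyle(xmlhttp.responseText);
            }
        };
        // Third argument false = synchronous request; send() returns after the handler above has run.
        xmlhttp.open("GET", theUrl, false );
        xmlhttp.send();
    }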
    
    // Tag the navigation mount point with the resolved container, then load its markup.
    if (['Prisma', 'Cortex', 'Sase', 'Unit', 'Ngfw'].indexOf(referer) !== -1) {
        const navMount = document.querySelector('#PAN_2021_NAV_ASYNC');

        // data-type is the container name in lower case: prisma, cortex, sase, unit or ngfw.
        navMount.dataset.type = referer.toLowerCase();

        // Prisma, Unit and Ngfw swap the 'default' class for 'defaultRedesigned'; Cortex and Sase keep 'default'.
        if (referer == 'Prisma' || referer == 'Unit' || referer == 'Ngfw') {
            $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
        }

        callMainSitePrismaNavHTML();
    }
</script>


  <article class="article overflow-hidden">
    
<header class="article__header py-sm-25 pt-40 pb-25 bg-gray-700">
  <div class="container">
    
    <h1 class="article__header__title mb-sm-30 mb-40">IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits</h1>

    <ul class="article__entry-meta d-flex flex-wrap align-items-center text-black">
      <li class="mr-10 mb-10 px-20 rounded-pill d-flex bg-gray-200"><div class="post-views content-post post-128774 entry-meta">
				<span class="post-views-count">26,750</span>
			</div> <span class="ml-5">people reacted</span></li>
      <li class="d-sm-none col-12 p-0"></li>
      <li class="mb-10 px-20 rounded-pill bg-gray-200"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 11</span> <span class="rt-label rt-postfix"></span></span> min. read</li>
    </ul>

  </div>
</header>    <div class="article__summary py-25 text-gray-500 font-size-sm">
  <div class="container">
    <div class="row align-items-center no-gutters">
      <div class="col-sm-auto col-12 mb-sm-0 mb-35">
        <i class="ui ui-11 text-gray-700 mr-sm-20"></i>
      </div>
  
      <div class="col-sm col-12">
        <p>
          By <a href="https://unit42.paloaltonetworks.com/author/chao-lei/" title="Posts by Chao Lei" class="author url fn" rel="author">Chao Lei</a>, <a href="https://unit42.paloaltonetworks.com/author/zhibin-zhang/" title="Posts by Zhibin Zhang" class="author url fn" rel="author">Zhibin Zhang</a>, <a href="https://unit42.paloaltonetworks.com/author/yiheng-an/" title="Posts by Yiheng An" class="author url fn" rel="author">Yiheng An</a> and <a href="https://unit42.paloaltonetworks.com/author/mengying-hu/" title="Posts by Cecilia Hu" class="author url fn" rel="author">Cecilia Hu</a>        </p>
        <p><time datetime="2023-06-22T13:00:03+00:00">June 22, 2023 at 6:00 AM</time></p>
        <p>Category: <a href="https://unit42.paloaltonetworks.com/category/malware-2/" rel="category tag">Malware</a></p>
        <p>Tags: <a href="https://unit42.paloaltonetworks.com/tag/advanced-threat-prevention/" rel="tag">Advanced Threat Prevention</a>, <a href="https://unit42.paloaltonetworks.com/tag/advanced-url-filtering/" rel="tag">Advanced URL Filtering</a>, <a href="https://unit42.paloaltonetworks.com/tag/botnet/" rel="tag">botnet</a>, <a href="https://unit42.paloaltonetworks.com/tag/cloud-delivered-security-services/" rel="tag">Cloud-Delivered Security Services</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2019-12725/" rel="tag">CVE-2019-12725</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2019-17621/" rel="tag">CVE-2019-17621</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2019-20500/" rel="tag">CVE-2019-20500</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2021-25296/" rel="tag">CVE-2021-25296</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2021-46422/" rel="tag">CVE-2021-46422</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-27002/" rel="tag">CVE-2022-27002</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-29303/" rel="tag">CVE-2022-29303</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-30023/" rel="tag">CVE-2022-30023</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-30525/" rel="tag">CVE-2022-30525</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-31499/" rel="tag">CVE-2022-31499</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-36266/" rel="tag">CVE-2022-36266</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-40005/" rel="tag">CVE-2022-40005</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2022-45699/" rel="tag">CVE-2022-45699</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2023-1389/" rel="tag">CVE-2023-1389</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2023-25280/" rel="tag">CVE-2023-25280</a>, <a href="https://unit42.paloaltonetworks.com/tag/cve-2023-27240/" rel="tag">CVE-2023-27240</a>, <a 
href="https://unit42.paloaltonetworks.com/tag/iot/" rel="tag">IoT</a>, <a href="https://unit42.paloaltonetworks.com/tag/iot-security/" rel="tag">IoT Security</a>, <a href="https://unit42.paloaltonetworks.com/tag/mirai/" rel="tag">Mirai</a>, <a href="https://unit42.paloaltonetworks.com/tag/next-generation-firewall/" rel="tag">next-generation firewall</a>, <a href="https://unit42.paloaltonetworks.com/tag/wildfire/" rel="tag">WildFire</a></p>
      </div>
    </div>
  </div>
</div>    <div class="py-30 bg-white">
      <div class="container">
        <div class="article__content pb-30">
                      <figure class="mb-30 text-center">
              <img width="600" height="300" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/Unit42-blog-2by1-characters-r4d1-2020_IoT-green.png" class="attachment-single size-single" alt="A pictorial representation of IoT vulnerabilities exploited by a Mirai variant. The Unit 42 logo." decoding="async" loading="lazy" />            </figure>
                    <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: 
    <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/mirai-variant-targets-iot-exploits/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-128774-_4lt92rr5muov"></a>Executive Summary</h2>
<p>Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:</p>
<table style="width: 94.0771%; height: 816px;">
<tbody>
<tr style="height: 24px;">
<td style="width: 31.3343%; text-align: center; height: 24px;"><b>CVE/Product</b></td>
<td style="width: 94.9026%; text-align: center; height: 24px;"><b>Description</b></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12725" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2019-12725</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Zeroshell Remote Command Execution Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17621" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2019-17621</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">D-Link DIR-859 Remote Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-20500" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2019-20500</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">D-Link DWL-2600AP Remote Command Execution Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-25296" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2021-25296</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Nagios XI Remote Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-46422" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2021-46422</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">Telesquare SDT-CW3B1 Router Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-27002" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-27002</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Arris TR3300 Remote Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29303" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-29303</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">SolarView Compact Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-30023" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-30023</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Tenda HG9 Router Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-30525" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-30525</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Zyxel Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-31499" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-31499</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Nortek Linear eMerge Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-37061" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-37061</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">FLIR AX8 Unauthenticated OS Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-40005" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-40005</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">Intelbras WiFiber 120 AC inMesh Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-45699" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2022-45699</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">APsystems ECU-R Remote Command Execution Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-1389" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2023-1389</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">TP-Link Archer Router Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25280" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2023-25280</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">D-link DIR820LA1_FW105B03 Command injection vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-27240" target="_blank" rel="noopener"><span style="font-weight: 400;">CVE-2023-27240</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Tenda AX3 Command Injection Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html" target="_blank" rel="noopener"><span style="font-weight: 400;">CCTV/DVR</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">CCTV/DVR Remote Code Execution</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://www.exploit-db.com/exploits/42114" target="_blank" rel="noopener"><span style="font-weight: 400;">EnGenius EnShare</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">EnGenius EnShare Remote Code Execution Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://www.rapid7.com/db/modules/exploit/linux/http/mvpower_dvr_shell_exec" target="_blank" rel="noopener"><span style="font-weight: 400;">MVPower DVR</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">MVPower DVR Shell Unauthenticated Command Execution Vulnerability</span></td>
</tr>
<tr style="height: 48px;">
<td style="width: 31.3343%; height: 48px;"><a href="https://seclists.org/bugtraq/2013/Jun/8" target="_blank" rel="noopener"><span style="font-weight: 400;">Netgear DGN1000</span></a></td>
<td style="width: 94.9026%; height: 48px;"><span style="font-weight: 400;">Netgear DGN1000 Remote Code Execution Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution/" target="_blank" rel="noopener"><span style="font-weight: 400;">Vacron NVR</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">Vacron NVR Remote Code Execution Vulnerability</span></td>
</tr>
<tr style="height: 24px;">
<td style="width: 31.3343%; height: 24px;"><a href="https://www.f5.com/labs/articles/threat-intelligence/brickerbot-do-good-intentions-justify-the-meansor-deliver-meaningful-results" target="_blank" rel="noopener"><span style="font-weight: 400;">MediaTek WiMAX</span></a></td>
<td style="width: 94.9026%; height: 24px;"><span style="font-weight: 400;">MediaTek WiMAX Remote Code Execution</span></td>
</tr>
</tbody>
</table>
<p>The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.</p>
<p>Palo Alto Networks <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall" target="_blank" rel="noopener">Next-Generation Firewall</a> customers receive protection through <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions" target="_blank" rel="noopener">Cloud-Delivered Security Services</a> such as <a href="https://www.paloaltonetworks.com/network-security/smart-devices-smarter-iot-security?utm_source=google-jg-amer-cdss&amp;utm_medium=paid_search&amp;utm_term=palo%20alto%20networks%20iot%20security&amp;utm_campaign=google-cdss-iot_security-amer-ca-awareness-en&amp;utm_content=gs-19633824690-151442986731-646705931499&amp;sfdcid=7014u000001hHCRAA2&amp;gclid=EAIaIQobChMI1Lm26OmS_QIVQUNyCh1G3gKWEAAYASAAEgJ3KvD_BwE" target="_blank" rel="noopener">Internet of Things (IoT) Security</a>, <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention" target="_blank" rel="noopener">Advanced Threat Prevention</a>, <a href="https://www.paloaltonetworks.com/network-security/advanced-wildfire" target="_blank" rel="noopener">WildFire</a> and <a href="https://www.paloaltonetworks.com/network-security/advanced-url-filtering" target="_blank" rel="noopener">Advanced URL Filtering</a>, which can help detect and block the exploit traffic and malware.</p>
<table style="width: 100%; height: 24px;">
<thead>
<tr style="height: 24px;">
<td style="width: 35%; height: 24px;"><b>Related Unit 42 Topics</b></td>
<td style="width: 100%; height: 24px;"><a href="https://unit42.paloaltonetworks.com/tag/IoT/" target="_blank" rel="noopener"><b>IoT</b></a>, <strong><a href="https://unit42.paloaltonetworks.com/tag/mirai/" target="_blank" rel="noopener">Mirai</a>, <a href="https://unit42.paloaltonetworks.com/tag/botnet" target="_blank" rel="noopener">botnet</a></strong></td>
</tr>
</thead>
</table>
<h2><a id="post-128774-_d07s5qswsv7d"></a>Table of Contents</h2>
<p><a href="#post-128774-_f71ef7pn9gyw">Campaign Analysis</a><br />
<a href="#post-128774-_wven14kmgum2">Malware Analysis</a><br />
<a href="#post-128774-_2an8ryq91inv">Conclusion</a><br />
<a href="#post-128774-_v8176g40kstn">Indicators of Compromise</a><br />
<a href="#post-128774-_iyoqpwvqf6qi">Shell Script Downloader Samples</a><br />
<a href="#post-128774-_763h15eckspk">Mirai Samples</a><br />
<a href="#post-128774-_6wew3cuhgk7k">Infrastructure</a><br />
<a href="#post-128774-_570cbe1pdhwx">Additional Resources</a><br />
<a href="#post-128774-_yx22q2dfuwix">Appendix</a></p>
<h2><a id="post-128774-_f71ef7pn9gyw"></a>Campaign Analysis</h2>
<p>On March 14, 2023, Unit 42 researchers observed, through our internal threat-hunting system, remote command execution exploit traffic originating from <span style="font-family: 'courier new', courier, monospace;">185.44.81[.]114</span>. The threat actor tried to download a shell script downloader as a file named <span style="font-family: 'courier new', courier, monospace;">y</span> from <span style="font-family: 'courier new', courier, monospace;">hxxp://zvub[.]us/</span>.</p>
<p>If executed, the shell script downloader would download and execute the following bot clients to accommodate different Linux architectures:</p>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/armv4l</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/armv5l</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/armv6l</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/armv7l</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/mips</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/mipsel</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/sh4</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/x86_64</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/i686</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/i586</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/arc</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/m68k</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">hxxp://185.225.74[.]251/sparc</span></li>
</ul>
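<p>After executing the bot client, the shell script downloader deletes the client executable file to cover its tracks. Because the file is removed only after it has been launched, the absence of these binaries on disk does not by itself rule out an infection; the bot process may still be running.</p>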
<p>Unit 42 researchers analyzed the malware host domain and found two IP addresses that have corresponded to the domain <span style="font-family: 'courier new', courier, monospace;">zvub[.]us</span>:</p>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">185.44.81[.]114</span> (From Aug. 15, 2022, to March 24, 2023)</li>
<li><span style="font-family: 'courier new', courier, monospace;">185.225.74[.]251</span> (After March 25, 2023)</li>
</ul>
<p>Upon conducting a thorough retrospective analysis, we noticed telnet brute force attempts from <span style="font-family: 'courier new', courier, monospace;">185.44.81[.]114</span> since Oct. 6, 2022, and attempts to exploit multiple vulnerabilities since March 14, 2023.</p>
<p>Unit 42 researchers also noticed another campaign from source IP <span style="font-family: 'courier new', courier, monospace;">193.32.162[.]189</span> since April 11, 2023, that delivers the same shell downloader from <span style="font-family: 'courier new', courier, monospace;">zvub[.]us</span>, as shown in Figure 1. Based on our analysis, we believe that the same threat actor operated these two campaigns for the following reasons:</p>
<ul>
<li>The two campaigns share the same infrastructure.</li>
<li>The botnet samples are almost identical.</li>
</ul>
<figure id="attachment_128827" aria-describedby="caption-attachment-128827" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" class="wp-image-128827" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/chart-3.png" alt="Image 1 is a chart of the vulnerability exploit attempts from October 2022 to May 2023. The highest counts are in April 2023, with 821, and then in May 2023, with 924." width="900" height="518" /><figcaption id="caption-attachment-128827" class="wp-caption-text">Figure 1. Vulnerability exploit attempts.</figcaption></figure>
<p>Figure 2 is a diagram illustrating the campaign overview.</p>
<figure id="attachment_128829" aria-describedby="caption-attachment-128829" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128829" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-2-1.png" alt="Image 2 is a timeline of the campaign overview. It starts with the attack source IP and lists all of the exploits, including new exploits. It starts in mid-August 2022 and flows through May 1, 2023." width="900" height="372" /><figcaption id="caption-attachment-128829" class="wp-caption-text">Figure 2. Campaign overview diagram.</figcaption></figure>
<h2><a id="post-128774-_wven14kmgum2"></a>Malware Analysis</h2>
<p>Based on behavior and patterns Unit 42 researchers observed while analyzing the downloaded botnet client samples, we believe the sample is a variant of the Mirai botnet.</p>
<p>Upon execution, the botnet client prints <span style="font-family: 'courier new', courier, monospace;">listening tun0</span> to the console. The malware also contains a function that ensures only one instance of this malware runs on the same device. If a botnet process already exists, the botnet client will terminate the current running process and start a new one.</p>
<p>To handle the botnet client configuration strings, other Mirai variants (like <a href="https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/">IZ1H9</a> and <a href="https://unit42.paloaltonetworks.com/mirai-variant-v3g4/">V3G4</a>) first initialize an encrypted string table and then retrieve the strings through an index. This Mirai variant, however, directly accesses the encrypted strings in the <span style="font-family: 'courier new', courier, monospace;">.rodata</span> section via an index (as shown in Figure 3).</p>
<figure id="attachment_128831" aria-describedby="caption-attachment-128831" style="width: 541px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128831" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-3-1.png" alt="Image 3 is a screenshot of the Mirai variant retrieving configuration strings. This is highlighted within a red box." width="541" height="469" /><figcaption id="caption-attachment-128831" class="wp-caption-text">Figure 3. Mirai variant retrieving configuration strings.</figcaption></figure>
<p>Also, notice that for Mirai variants like <a href="https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/">IZ1H9</a> and <a href="https://unit42.paloaltonetworks.com/mirai-variant-v3g4/">V3G4</a>, the configuration contains a string that indicates the branch name of the variant (for example, <span style="font-family: 'courier new', courier, monospace;">/bin/busybox</span> <span style="font-family: 'courier new', courier, monospace;">IZ1H9</span>), whereas the variant analyzed here does not have a branch name.</p>
<p>For the configuration decryption, this Mirai variant first uses a table key <span style="font-family: 'courier new', courier, monospace;">0xDEADBEEF</span> to generate a single-byte config decryption key <span style="font-family: 'courier new', courier, monospace;">0x22</span> (XORing the four bytes of the table key together gives this value: <span style="font-family: 'courier new', courier, monospace;">0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22</span>). The malware then decrypts the encrypted configuration with the following bytewise XOR operation:</p>
<p style="padding-left: 40px;"><span style="font-family: 'courier new', courier, monospace;">encrypted_char ^ 0x22 = decrypted_char</span></p>
<p>During the analysis, Unit 42 researchers noticed that this Mirai sample doesn’t contain the functionality to brute force telnet/SSH login credentials or to exploit vulnerabilities, which means the only channels for spreading this variant are the botnet operator’s manual vulnerability exploitation attempts. In other words, infected devices do not spread the malware themselves.</p>
<h2><a id="post-128774-_2an8ryq91inv"></a>Conclusion</h2>
<p>The widespread adoption of IoT devices has become a ubiquitous trend. However, the persistent security concerns surrounding these devices cannot be ignored. The Mirai botnet, discovered back in 2016, is still active today. A significant part of the reason for its popularity among threat actors lies in the security flaws of IoT devices.</p>
<p>These remote code execution vulnerabilities targeting IoT devices exhibit a combination of low complexity and high impact, making them an irresistible target for threat actors. As a result, protecting IoT devices against such threats becomes an urgent task.</p>
<p>To combat this threat, it is highly recommended that patches and updates are applied when possible.</p>
<p>Palo Alto Networks customers receive protection against vulnerabilities and malware through the following products and services:</p>
<ul>
<li>Next-Generation Firewall with a Threat Prevention security subscription can block the attacks with Best Practices via Threat Prevention signatures <a href="https://threatvault.paloaltonetworks.com/?query=30760">30760</a>, <a href="https://threatvault.paloaltonetworks.com/?query=37073">37073</a>, <a href="https://threatvault.paloaltonetworks.com/?query=37752">37752</a>, <a href="https://threatvault.paloaltonetworks.com/?query=54659">54659</a>, <a href="https://threatvault.paloaltonetworks.com/?query=54553">54553</a>, <a href="https://threatvault.paloaltonetworks.com/?query=54537">54537</a>, <a href="https://threatvault.paloaltonetworks.com/?query=54619">54619</a>, <a href="https://threatvault.paloaltonetworks.com/?query=58706">58706</a>, <a href="https://threatvault.paloaltonetworks.com/?query=57437">57437</a>, <a href="https://threatvault.paloaltonetworks.com/?query=55795">55795</a>, <a href="https://threatvault.paloaltonetworks.com/?query=57191">57191</a>, <a href="https://threatvault.paloaltonetworks.com/?query=90873">90873</a>, <a href="https://threatvault.paloaltonetworks.com/?query=92611">92611</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93863">93863</a>, <a href="https://threatvault.paloaltonetworks.com/?query=92626">92626</a>, <a href="https://threatvault.paloaltonetworks.com/?query=92714">92714</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93859">93859</a>, <a href="https://threatvault.paloaltonetworks.com/?query=92579">92579</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93044">93044</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93283">93283</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93587">93587</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93872">93872</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93749">93749</a>, <a href="https://threatvault.paloaltonetworks.com/?query=93874">93874</a>, <a 
href="https://threatvault.paloaltonetworks.com/?query=93973">93973</a>.</li>
<li><a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention">Advanced Threat Prevention</a> has an inbuilt machine learning-based security detection that can detect exploit traffic in real time.</li>
<li><a href="https://www.paloaltonetworks.com/products/secure-the-network/wildfire">WildFire</a> can stop the malware with static signature detections.</li>
<li><a href="https://www.paloaltonetworks.com/network-security/advanced-url-filtering">Advanced URL Filtering</a> and <a href="https://www.paloaltonetworks.com/network-security/dns-security">DNS Security</a> are able to block the C2 domain and malware-hosting URLs.</li>
<li>The Palo Alto Networks IoT security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are vulnerable to the aforementioned CVEs.</li>
<li>In addition, <a href="https://www.paloaltonetworks.com/network-security/iot-security">IoT Security</a> has an inbuilt machine learning-based anomaly detection that can alert the customer if a device exhibits nontypical behavior, such as the following:
<ul>
<li>The sudden appearance of traffic from a new source</li>
<li>An unusually high number of connections</li>
<li>An inexplicable surge of certain attributes typically appearing in IoT application payloads</li>
</ul>
</li>
</ul>
<p>Palo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a class="c-link" href="https://www.cyberthreatalliance.org/" target="_blank" rel="noopener noreferrer" data-stringify-link="https://www.cyberthreatalliance.org/" data-sk="tooltip_parent">Cyber Threat Alliance</a>.</p>
<h2><a id="post-128774-_v8176g40kstn"></a>Indicators of Compromise</h2>
<h3><a id="post-128774-_iyoqpwvqf6qi"></a>Shell Script Downloader Samples</h3>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">888f4a852642ce70197f77e213456ea2b3cfca4a592b94647827ca45adf2a5b8</span></li>
</ul>
<h3><a id="post-128774-_763h15eckspk"></a>Mirai Samples</h3>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">b43a8a56c10ba17ddd6fa9a8ce10ab264c6495b82a38620e9d54d66ec8677b0c</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">b45142a2d59d16991a38ea0a112078a6ce42c9e2ee28a74fb2ce7e1edf15dce3</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">366ddbaa36791cdb99cf7104b0914a258f0c373a94f6cf869f946c7799d5e2c6</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">413e977ae7d359e2ea7fe32db73fa007ee97ee1e9e3c3f0b4163b100b3ec87c2</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">2d0c8ab6c71743af8667c7318a6d8e16c144ace8df59a681a0a7d48affc05599</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">4cb8c90d1e1b2d725c2c1366700f11584f5697c9ef50d79e00f7dd2008e989a0</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">461f59a84ccb4805c4bbd37093df6e8791cdf1151b2746c46678dfe9f89ac79d</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">aed078d3e65b5ff4dd4067ae30da5f3a96c87ec23ec5be44fc85b543c179b777</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">0d404a27c2f511ea7f4adb8aa150f787b2b1ff36c1b67923d6d1c90179033915</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">eca42235a41dbd60615d91d564c91933b9903af2ef3f8356ec4cfff2880a2f19</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">3f427eda4d4e18fb192d585fca1490389a1b5f796f88e7ebf3eceec51018ef4d</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">aaf446e4e7bfc05a33c8d9e5acf56b1c7e95f2d919b98151ff2db327c333f089</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">4f53eb7fbfa5b68cad3a0850b570cbbcb2d4864e62b5bf0492b54bde2bdbe44b</span></li>
</ul>
<h3><a id="post-128774-_6wew3cuhgk7k"></a>Infrastructure</h3>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">zvub[.]us</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">185.225.74[.]251</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">185.44.81[.]114</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">193.32.162[.]189</span></li>
</ul>
<h2><a id="post-128774-_570cbe1pdhwx"></a>Additional Resources</h2>
<ul>
<li><a href="https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal" target="_blank" rel="noopener">TP-Link WAN-SIDE Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal</a> - Zero Day Initiative</li>
<li><a href="https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" target="_blank" rel="noopener">Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns</a> - Unit 42, Palo Alto Networks</li>
<li><a href="https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/" target="_blank" rel="noopener">Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall</a> - Unit 42, Palo Alto Networks</li>
<li><a href="https://unit42.paloaltonetworks.com/mirai-variant-iz1h9/" target="_blank" rel="noopener">Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices</a> - Unit 42, Palo Alto Networks</li>
<li><a href="https://unit42.paloaltonetworks.com/mirai-variant-v3g4/" target="_blank" rel="noopener">Mirai Variant V3G4 Targets IoT Devices</a> - Unit 42, Palo Alto Networks</li>
</ul>
<h2><a id="post-128774-_yx22q2dfuwix"></a>Appendix</h2>
<p>The vulnerabilities exploited in this campaign are listed below, with the date each exploit was observed and the component it targets:</p>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-12725" target="_blank" rel="noopener"><strong>CVE-2019-12725</strong></a><strong>: Zeroshell Remote Command Execution Vulnerability</strong></p>
<p>This malicious traffic was first detected as a part of the campaign on March 14, 2023. The command execution vulnerability is due to the failure to sanitize the value of <span style="font-family: 'courier new', courier, monospace;">x509type</span> in the <span style="font-family: 'courier new', courier, monospace;">kerbynet</span> component of Zeroshell.</p>
<figure id="attachment_128833" aria-describedby="caption-attachment-128833" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128833" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-4-1.png" alt="Image 4 is a screenshot of the Zeroshell remote command execution vulnerability. The name of the host is redacted." width="678" height="136" /><figcaption id="caption-attachment-128833" class="wp-caption-text">Figure 4. CVE-2019-12725 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17621" target="_blank" rel="noopener"><strong>CVE-2019-17621</strong></a><strong>: D-Link DIR-859 Remote Command Injection Vulnerability</strong></p>
<p>We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the D-Link wireless router’s <span style="font-family: 'courier new', courier, monospace;">/gena.cgi</span> component, which does not properly sanitize the user input in the <span style="font-family: 'courier new', courier, monospace;">service</span> parameter. This leads to arbitrary command execution.</p>
<figure id="attachment_128835" aria-describedby="caption-attachment-128835" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128835" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-5-1.png" alt="Image 5 is a screenshot of the D-Link DIR-859 remote command injection vulnerability. The host has been redacted. " width="678" height="124" /><figcaption id="caption-attachment-128835" class="wp-caption-text">Figure 5. CVE-2019-17621 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2019-20500" target="_blank" rel="noopener"><strong>CVE-2019-20500</strong></a><strong>: D-Link DWL-2600AP Remote Command Execution Vulnerability</strong></p>
<p>The exploit was detected on April 11, 2023. The exploit works due to the D-Link wireless router <span style="font-family: 'courier new', courier, monospace;">admin.cgi</span> component failing to adequately sanitize the user-supplied input data, which leads to remote command execution.</p>
<figure id="attachment_128837" aria-describedby="caption-attachment-128837" style="width: 591px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128837" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-6-1.png" alt="Image 6 is a screenshot of the D-Link DWL-2600AP remote command execution vulnerability. The host has been redacted. This exploit allows for remote command execution. " width="591" height="184" /><figcaption id="caption-attachment-128837" class="wp-caption-text">Figure 6. CVE-2019-20500 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-25296" target="_blank" rel="noopener"><strong>CVE-2021-25296</strong></a><strong>: Nagios XI Remote Command Injection Vulnerability</strong></p>
<p>We observed this exploit traffic on April 11, 2023. The exploit targets the Nagios XI device’s <span style="font-family: 'courier new', courier, monospace;">/nagiosxi/config/monitoringwizard.php</span> component. Because this component does not sufficiently validate its input, an attacker can exploit the vulnerability to launch a remote command injection attack.</p>
<figure id="attachment_128839" aria-describedby="caption-attachment-128839" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128839" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-7-1.png" alt="Image 7 is a screenshot of the Nagios XI remote command injection vulnerability. The host has been redacted. The screenshot is of the exploit traffic. " width="678" height="184" /><figcaption id="caption-attachment-128839" class="wp-caption-text">Figure 7. CVE-2021-25296 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2021-46422" target="_blank" rel="noopener"><strong>CVE-2021-46422</strong></a><strong>: Telesquare SDT-CW3B1 Router Command Injection Vulnerability</strong></p>
<p>The malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the <span style="font-family: 'courier new', courier, monospace;">cmd</span> parameter in the <span style="font-family: 'courier new', courier, monospace;">cgi-bin/admin.cgi</span> interface of the Telesquare router.</p>
<figure id="attachment_128841" aria-describedby="caption-attachment-128841" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128841" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-8-1.png" alt="Image 8 is a screenshot of the Telesquare SDT-CW3B1 router command injection vulnerability. It is a screenshot of the malicious traffic with the host redacted. The important portion is the command parameter in the CGI bin. " width="678" height="121" /><figcaption id="caption-attachment-128841" class="wp-caption-text">Figure 8. CVE-2021-46422 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-27002" target="_blank" rel="noopener"><strong>CVE-2022-27002</strong></a><strong>: Arris TR3300 Remote Command Injection Vulnerability</strong></p>
<p>We captured this exploit traffic on April 14, 2023. The exploit targets a command injection vulnerability in the Arris TR3300’s <span style="font-family: 'courier new', courier, monospace;">user.cgi</span> component, which does not properly sanitize the user input in the <span style="font-family: 'courier new', courier, monospace;">DDNS_HOST</span> parameter. This leads to a command injection.</p>
<figure id="attachment_128843" aria-describedby="caption-attachment-128843" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128843" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-9-1.png" alt="Image 9 is a screenshot of the exploit traffic of Arris TR3300 remote command injection vulnerability. The host has been redacted. The affected portion is the user.cgi component. " width="678" height="166" /><figcaption id="caption-attachment-128843" class="wp-caption-text">Figure 9. CVE-2022-27002 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29303" target="_blank" rel="noopener"><strong>CVE-2022-29303</strong></a><strong>: SolarView Compact Command Injection Vulnerability</strong></p>
<p>This exploit was detected on March 15, 2023. The exploit works due to the SolarView Compact <span style="font-family: 'courier new', courier, monospace;">confi_mail.php</span> component failing to adequately sanitize the user-supplied input data, which leads to command injection.</p>
<figure id="attachment_128845" aria-describedby="caption-attachment-128845" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128845" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-10-1.png" alt="Image 10 is a screenshot of the SolarView compact command injection vulnerability. The host, origin, and referrer have all been redacted. " width="678" height="244" /><figcaption id="caption-attachment-128845" class="wp-caption-text">Figure 10. CVE-2022-29303 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-30023" target="_blank" rel="noopener"><strong>CVE-2022-30023</strong></a><strong>: Tenda HG9 Router Command Injection Vulnerability</strong></p>
<p>We observed this exploit traffic on March 14, 2023. The exploit targets the Tenda HG9 router’s <span style="font-family: 'courier new', courier, monospace;">/boaform/formPing</span> component. Because this component does not sufficiently validate its input, an attacker can exploit the vulnerability to launch a remote code execution attack.</p>
<figure id="attachment_128847" aria-describedby="caption-attachment-128847" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128847" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-11-1.png" alt="Image 11 is a screenshot of the Tenda HG9 router command injection vulnerability. The host has been redacted. The screenshot is of the exploit traffic. " width="678" height="172" /><figcaption id="caption-attachment-128847" class="wp-caption-text">Figure 11. CVE-2022-30023 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-30525" target="_blank" rel="noopener"><strong>CVE-2022-30525</strong></a><strong>: Zyxel Command Injection Vulnerability</strong></p>
<p>This malicious traffic was first detected on March 14, 2023. The command injection vulnerability is due to the failure to sanitize the value of the <span style="font-family: 'courier new', courier, monospace;">mtu</span> parameter in the <span style="font-family: 'courier new', courier, monospace;">/cgi-bin/handler</span> interface of Zyxel.</p>
<figure id="attachment_128849" aria-describedby="caption-attachment-128849" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128849" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-12-1.png" alt="Image 12 is a screenshot of the Zyxel command injection vulnerability. The host is redacted. The affected portion is the mtu parameter in the CGI bin. " width="678" height="188" /><figcaption id="caption-attachment-128849" class="wp-caption-text">Figure 12. CVE-2022-30525 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-31499" target="_blank" rel="noopener"><strong>CVE-2022-31499</strong></a><strong>: Nortek Linear eMerge Command Injection Vulnerability</strong></p>
<p>We captured this exploit traffic on May 1, 2023. The exploit targets a command injection vulnerability in the Nortek Linear eMerge device’s <span style="font-family: 'courier new', courier, monospace;">card_scan.php</span> component, which does not properly sanitize the user input in the <span style="font-family: 'courier new', courier, monospace;">ReaderNo</span> parameter. This leads to remote command injection.</p>
<figure id="attachment_128851" aria-describedby="caption-attachment-128851" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128851" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-13-1.png" alt="Image 13 is a screenshot of the Nortek Linear eMerge command injection vulnerability. The host is redacted. The exploit affects the PHP code." width="678" height="120" /><figcaption id="caption-attachment-128851" class="wp-caption-text">Figure 13. CVE-2022-31499 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/cve-2022-37061" target="_blank" rel="noopener"><strong>CVE-2022-37061</strong></a><strong>: FLIR AX8 Unauthenticated OS Command Injection Vulnerability</strong></p>
<p>This exploit was detected on May 1, 2023. The exploit works due to the FLIR AX8 device’s <span style="font-family: 'courier new', courier, monospace;">res.php</span> component failing to adequately sanitize the user-supplied input data, which leads to OS command injection.</p>
<figure id="attachment_128853" aria-describedby="caption-attachment-128853" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128853" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-14-1.png" alt="Image 14 is a screenshot of the FLIR AX8 Unauthenticated OS command injection vulnerability. The host has been redacted." width="678" height="178" /><figcaption id="caption-attachment-128853" class="wp-caption-text">Figure 14. CVE-2022-37061 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-40005" target="_blank" rel="noopener"><strong>CVE-2022-40005</strong></a><strong>: Intelbras WiFiber 120AC inMesh Command Injection Vulnerability</strong></p>
<p>We observed this exploit traffic on March 15, 2023. The exploit targets the Intelbras WiFiber device’s <span style="font-family: 'courier new', courier, monospace;">/boaform/formPing6</span> component. Because this component does not sufficiently validate its input, an attacker can exploit the vulnerability to launch a command injection attack.</p>
<figure id="attachment_128855" aria-describedby="caption-attachment-128855" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128855" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-15-1.png" alt="Image 15 is a screenshot of the Intelbras WiFiber 120AC inMesh command injection vulnerability. It is a screenshot of the exploit traffic with the host redacted. " width="678" height="161" /><figcaption id="caption-attachment-128855" class="wp-caption-text">Figure 15. CVE-2022-40005 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-45699" target="_blank" rel="noopener"><strong>CVE-2022-45699</strong></a><strong>: APsystems ECU-R Remote Command Execution Vulnerability</strong></p>
<p>This malicious traffic was first detected on April 12, 2023. The remote command execution vulnerability is due to a failure to sanitize the value of the <span style="font-family: 'courier new', courier, monospace;">timezone</span> parameter in <span style="font-family: 'courier new', courier, monospace;">/management/set_timezone</span>.</p>
<figure id="attachment_128857" aria-describedby="caption-attachment-128857" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128857" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-16-1.png" alt="Image 16 is a screenshot of the APsystems ECU-R remote command execution vulnerability. It is a screenshot of the malicious traffic with the host redacted. " width="678" height="85" /><figcaption id="caption-attachment-128857" class="wp-caption-text">Figure 16. CVE-2022-45699 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-1389" target="_blank" rel="noopener"><strong>CVE-2023-1389</strong></a><strong>: TP-Link Archer Router Command Injection Vulnerability</strong></p>
<p>We captured this exploit traffic on April 12, 2023. The exploit targets a command injection vulnerability in the TP-Link Archer router’s <span style="font-family: 'courier new', courier, monospace;">cgi-bin/luci</span> component, which does not properly sanitize the user input in the <span style="font-family: 'courier new', courier, monospace;">country</span> parameter. This leads to arbitrary command execution.</p>
<figure id="attachment_128859" aria-describedby="caption-attachment-128859" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128859" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-17-1.png" alt="Image 17 is a screenshot, with the host redacted, of the exploit traffic of the TP-Link Archer command injection vulnerability. " width="678" height="180" /><figcaption id="caption-attachment-128859" class="wp-caption-text">Figure 17. CVE-2023-1389 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25280" target="_blank" rel="noopener"><strong>CVE-2023-25280</strong></a><strong>: D-Link DIR820LA1_FW105B03 Command Injection Vulnerability</strong></p>
<p>The exploit was detected on April 11, 2023. The exploit works due to the D-Link device <span style="font-family: 'courier new', courier, monospace;">/ping.ccp</span> component failing to adequately sanitize the user-supplied input data, which leads to command injection.</p>
<figure id="attachment_128861" aria-describedby="caption-attachment-128861" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128861" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-18-1.png" alt="Image 18 is a screenshot of the D-Link DIR820LA1_FW105B03 command injection vulnerability. Redacted in the screenshot are the host, the origin, and the referrer." width="678" height="279" /><figcaption id="caption-attachment-128861" class="wp-caption-text">Figure 18. CVE-2023-25280 exploit in the wild.</figcaption></figure>
<p><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-27240" target="_blank" rel="noopener"><strong>CVE-2023-27240</strong></a><strong>: Tenda AX3 Command Injection Vulnerability</strong></p>
<p>We observed this exploit traffic on April 12, 2023. The exploit targets the Tenda AX3 router’s <span style="font-family: 'courier new', courier, monospace;">/goform/AdvSetLanip</span> component. Because this component does not sufficiently validate its input, an attacker can exploit the vulnerability to launch a remote command injection attack.</p>
<figure id="attachment_128863" aria-describedby="caption-attachment-128863" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128863" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-19-1.png" alt="Image 19 is a screenshot of the Tenda AX3 command injection vulnerability. In the exploit traffic, the host has been redacted. " width="678" height="179" /><figcaption id="caption-attachment-128863" class="wp-caption-text">Figure 19. CVE-2023-27240 exploit in the wild.</figcaption></figure>
<p><a href="https://community.broadcom.com/symantecenterprise/viewthread?MessageKey=098d8b01-0638-45cc-9261-99076b39d424&amp;CommunityKey=dc76b213-82a9-4676-ac30-f50188193ccc&amp;tab=digestviewer" target="_blank" rel="noopener"><strong>CCTV/DVR Remote Code Execution</strong></a></p>
<p>This exploit traffic was detected on March 14, 2023. The exploit targets a remote code execution vulnerability in multiple CCTV/DVR devices’ <span style="font-family: 'courier new', courier, monospace;">/language</span> components. The component does not properly sanitize the value of the HTTP parameter.</p>
<figure id="attachment_128865" aria-describedby="caption-attachment-128865" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128865" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-20-1.png" alt="Image 20 is a screenshot of the CCTV/DVR remote code execution. The exploit traffic has the host redacted. The exploit targets /language. " width="678" height="148" /><figcaption id="caption-attachment-128865" class="wp-caption-text">Figure 20. CCTV/DVR exploit in the wild.</figcaption></figure>
<p><a href="https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30364" target="_blank" rel="noopener"><strong>EnGenius EnShare Remote Code Execution Vulnerability</strong></a></p>
<p>We detected this exploit traffic on April 12, 2023. The exploit works due to the <span style="font-family: 'courier new', courier, monospace;">/cgi-bin/usbinteract.cgi</span> component of the EnGenius EnShare device failing to sanitize the value of the HTTP parameter <span style="font-family: 'courier new', courier, monospace;">path</span>.</p>
<figure id="attachment_128867" aria-describedby="caption-attachment-128867" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128867" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-21-1.png" alt="Image 21 is a screenshot of EnGenius EnShare exploit traffic. " width="678" height="103" /><figcaption id="caption-attachment-128867" class="wp-caption-text">Figure 21. EnGenius EnShare exploit in the wild.</figcaption></figure>
<p><a href="https://www.rapid7.com/db/modules/exploit/linux/http/mvpower_dvr_shell_exec/" target="_blank" rel="noopener"><strong>MVPower DVR Shell Unauthenticated Command Execution Vulnerability</strong></a></p>
<p>This malicious traffic was captured on April 11, 2023. The exploit works due to the MVPower DVR failing to sanitize user input, which in turn could lead to remote command execution.</p>
<figure id="attachment_128869" aria-describedby="caption-attachment-128869" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128869" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-22-1.png" alt="Image 22 is a screenshot of the MVPower DVR Shell unauthenticated command execution vulnerability. The host has been redacted. " width="678" height="113" /><figcaption id="caption-attachment-128869" class="wp-caption-text">Figure 22. MVPower DVR exploit in the wild.</figcaption></figure>
<p><a href="https://seclists.org/bugtraq/2013/Jun/8" target="_blank" rel="noopener"><strong>Netgear DGN1000 Remote Code Execution Vulnerability</strong></a></p>
<p>We captured this exploit traffic on March 14, 2023. The exploit targets the <span style="font-family: 'courier new', courier, monospace;">setup.cgi</span> component of Netgear DGN1000. The component does not sanitize the value of the HTTP parameter <span style="font-family: 'courier new', courier, monospace;">cmd</span>, which leads to remote code execution.</p>
<figure id="attachment_128871" aria-describedby="caption-attachment-128871" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128871" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-23-1.png" alt="Image 23 is a screenshot of a Netgear DGN1000 exploit command code execution vulnerability. The host has been redacted in the screenshot. " width="678" height="120" /><figcaption id="caption-attachment-128871" class="wp-caption-text">Figure 23. Netgear exploit in the wild.</figcaption></figure>
<p><a href="https://ssd-disclosure.com/ssd-advisory-vacron-nvr-remote-command-execution/" target="_blank" rel="noopener"><strong>Vacron NVR Remote Code Execution Vulnerability</strong></a></p>
<p>We observed this exploit traffic on March 14, 2023. The exploit targets the Vacron NVR device’s <span style="font-family: 'courier new', courier, monospace;">board.cgi</span> component. Because this component does not sufficiently validate its input, an attacker can exploit the vulnerability to launch a remote code execution attack.</p>
<figure id="attachment_128873" aria-describedby="caption-attachment-128873" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128873" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-24-1.png" alt="Image 24 is a screenshot of the Vacron NVR remote code execution vulnerability. The host has been redacted in the screenshot. " width="678" height="123" /><figcaption id="caption-attachment-128873" class="wp-caption-text">Figure 24. Vacron NVR exploit in the wild.</figcaption></figure>
<p><a href="https://www.f5.com/labs/articles/threat-intelligence/brickerbot-do-good-intentions-justify-the-meansor-deliver-meaningful-results" target="_blank" rel="noopener"><strong>MediaTek WiMAX Remote Code Execution</strong></a></p>
<p>The exploit traffic was first detected as a part of a campaign on April 12, 2023. The remote code execution vulnerability is due to the failure to sanitize the value of the <span style="font-family: 'courier new', courier, monospace;">SYSLOGD_REMOTE_HOST</span> parameter in the <span style="font-family: 'courier new', courier, monospace;">user.cgi</span> interface of a MediaTek WiMAX device.</p>
<figure id="attachment_128875" aria-describedby="caption-attachment-128875" style="width: 678px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-128875" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/06/word-image-128774-25-1.png" alt="Image 25 is a screenshot of the MediaTek WiMAX remote code execution." width="678" height="149" /><figcaption id="caption-attachment-128875" class="wp-caption-text">Figure 25. MediaTek WiMAX exploit in the wild.</figcaption></figure>
        </div>
      </div>
    </div>
  </article>
          
  </body>
</html>
